Changing the keyPassphrase in /home/sailpoint/config.yaml

Hi all,

Just documenting the info I found with regard to the keyPassphrase from the /home/sailpoint/config.yaml configuration as I couldn’t find a proper document.

SailPoint says that the same passphrase should be used for all VAs belonging to a cluster. The passphrase we set (e.g. keyPassphrase: myUnsecurePassphrase) is encrypted before/when the CCG service is started (the value will be replaced with a base64 encoded string that starts with ::::).

Because the encryption uses the same key and same salt value on all VAs, you can check if the same key passphrase was used on both VAs by just comparing the encrypted values (e.g. keyPassphrase: '::::xxxxxxxxxxxxxxxxxxx' should be the same in both files).

If you don’t know the passphrase anymore on one of your VAs and you want to sync the passphrase, you could just set the same encrypted value in config.yaml and restart the service.

One bug that I’ve seen is that if you set the unencrypted value like this: keyPassphrase: 'myUnsecurePassphrase', you’ll end up with a value like this: keyPassphrase: ''::::xxxxxxxxxxxxxxxxxxx'' (that is double single quotes), and CCG won’t start anymore. Replace the two single quotes with one single quote, restart CCG.

Best regards,
Andrei
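As an added example (not code from the post above and not SailPoint's own tooling), the following Python script captures the checks Andrei describes: it classifies the `keyPassphrase:` line of each VA's config.yaml as plaintext (CCG not yet started), encrypted (value starting with `::::`), or hit by the double-single-quote bug, compares the encrypted values across the cluster, and offers the one-line repair for the `''::::...''` form. The `::::` prefix convention and the comparison rule are taken from the post; the host names, file contents and the base64-looking token are constructed sample data, and the assumption that `keyPassphrase` sits on a single top-level line is mine.

```python
"""Check keyPassphrase state across SailPoint VA config.yaml files.

Added example, not SailPoint code. Assumes each config.yaml carries a
single line of the form `keyPassphrase: <value>` and that CCG rewrites
the value to a base64 string prefixed with '::::' once it has run.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Matches the keyPassphrase line, keeping indentation and the raw value.
LINE_RE = re.compile(r"^(?P<indent>\s*)keyPassphrase:\s*(?P<raw>.*?)\s*$")


@dataclass(frozen=True)
class PassphraseState:
    state: str             # 'missing' | 'plaintext' | 'encrypted' | 'double_quoted'
    value: Optional[str]   # value with quotes stripped; None when the key is absent


def _is_double_quoted(raw: str) -> bool:
    # The bug from the post: ''::::...'' (two single quotes on each side).
    return len(raw) >= 4 and raw.startswith("''") and raw.endswith("''")


def classify_keypassphrase(config_text: str) -> PassphraseState:
    """Return the state of the keyPassphrase line in one config.yaml."""
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("raw")
        if _is_double_quoted(raw):
            return PassphraseState("double_quoted", raw[2:-2])
        # Strip one layer of matching single or double quotes, if present.
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            raw = raw[1:-1]
        if raw.startswith("::::"):
            return PassphraseState("encrypted", raw)
        return PassphraseState("plaintext", raw)
    return PassphraseState("missing", None)


def repair_double_quotes(config_text: str) -> str:
    """Rewrite `''::::...''` to `'::::...'` so CCG can start again."""
    out = []
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if m and _is_double_quoted(m.group("raw")):
            line = f"{m.group('indent')}keyPassphrase: '{m.group('raw')[2:-2]}'"
        out.append(line)
    return "\n".join(out) + "\n"


def compare_cluster(configs: Dict[str, str]) -> dict:
    """Compare keyPassphrase across VAs; in sync means one shared encrypted value."""
    states = {host: classify_keypassphrase(text) for host, text in configs.items()}
    problems = []
    for host, s in states.items():
        if s.state == "plaintext":
            problems.append(f"{host}: still plaintext; start CCG, then re-check")
        elif s.state == "double_quoted":
            problems.append(f"{host}: double single quotes; run repair_double_quotes")
        elif s.state == "missing":
            problems.append(f"{host}: no keyPassphrase line found")
    encrypted = {s.value for s in states.values() if s.state == "encrypted"}
    if not problems and len(encrypted) > 1:
        problems.append("encrypted values differ: VAs do not share a passphrase")
    return {"states": states, "in_sync": not problems, "problems": problems}


# Constructed sample files (the token is base64 of "CONSTRUCTED-SAMPLE", not real).
TOKEN = "::::Q09OU1RSVUNURUQtU0FNUExF"
VA1_CONFIG = f"podName: va1\nkeyPassphrase: '{TOKEN}'\n"
VA2_CONFIG = f"podName: va2\nkeyPassphrase: '{TOKEN}'\n"
VA3_BROKEN = f"podName: va3\nkeyPassphrase: ''{TOKEN}''\n"
VA4_PLAIN = "podName: va4\nkeyPassphrase: myUnsecurePassphrase\n"

if __name__ == "__main__":
    report = compare_cluster({"va1": VA1_CONFIG, "va2": VA2_CONFIG,
                              "va3": VA3_BROKEN, "va4": VA4_PLAIN})
    for host, s in report["states"].items():
        print(f"{host}: {s.state}")
    for p in report["problems"]:
        print("problem:", p)
    print(repair_double_quotes(VA3_BROKEN), end="")
```

On a real cluster you would read each VA's `/home/sailpoint/config.yaml` into the `configs` dict instead of the constructed strings; the comparison only tells you the passphrases match once every VA reports `encrypted`, since a plaintext value cannot be compared until CCG has rewritten it.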
